A control method and an apparatus for network admission, which can control network admission of a wireless termination point (WTP) without upgrading the live network. In the method, an access controller (AC) that has a network admission control function receives a join request packet from a WTP and establishes a Control and Provisioning of Wireless Access Points (CAPWAP) connection with the WTP. If the CAPWAP connection between the AC and the WTP is successfully established, the AC enables permission of the WTP. In another control method for network admission disclosed in the present application, an AC receives a join request packet from a WTP and establishes a CAPWAP connection with the WTP. A network admission end enables permission of the WTP according to a result from the AC that the connection between the AC and the WTP is successfully established.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A control method for network admission comprising: enabling, by an access controller (AC), a first permission of a wireless termination point (WTP), wherein the first permission of the WTP is configured to allow only packets accessing a Control and Provisioning of Wireless Access Points (CAPWAP) port of the AC; receiving a join request packet that accesses the CAPWAP port from the WTP when the first permission of the WTP is enabled; establishing a CAPWAP connection with the WTP; and enabling, by the AC, a second permission of the WTP when the CAPWAP connection between the AC and the WTP is successfully established, wherein the second permission of the WTP is configured to allow any packet sent from the WTP.
A network admission control method uses an access controller (AC) to manage wireless termination point (WTP) access. Initially, the AC enables a restricted permission for the WTP, allowing only traffic to the AC's CAPWAP port. When the WTP sends a join request to this port, the AC establishes a CAPWAP connection. Upon successful connection, the AC enables a second, unrestricted permission, allowing any traffic from the WTP to pass through the network. This method controls network access without requiring upgrades to the existing network infrastructure.
2. The method according to claim 1, wherein before receiving, by the AC, the join request packet, the method further comprises: acquiring, by the AC, a result of Media Access Control (MAC) authentication on the WTP; and enabling, by the AC, the first permission of the WTP to only allow access to the CAPWAP port of the AC after the MAC authentication on the WTP succeeds.
Building on the previous network admission method, before the AC receives the join request packet, it first performs Media Access Control (MAC) authentication on the WTP. The AC enables the restricted permission, allowing only access to the CAPWAP port, only after the MAC authentication is successful. This adds a layer of security by verifying the WTP's MAC address before allowing it to attempt to connect to the network.
3. The method according to claim 2 further comprising: acquiring, by the AC, a result of IEEE 802.1X authentication on the WTP; and enabling, by the AC, the first permission of the WTP to only allow access to the CAPWAP port of the AC after the IEEE 802.1X authentication on the WTP fails.
Expanding on the previous method involving MAC authentication, the AC also performs IEEE 802.1X authentication on the WTP. Critically, the restricted permission, allowing only CAPWAP port access, is enabled *only* if the 802.1X authentication *fails*. This allows devices that fail enterprise authentication to still gain limited access for initial provisioning and connection establishment.
4. The method according to claim 3 further comprising acquiring, by the AC and from the join request packet, at least one of an IP address of the WTP or a MAC address of the WTP, wherein the IP address of the WTP is a source IP address of the join request packet, wherein the MAC address of the WTP is a source MAC address of the join request packet, and wherein enabling, by the AC, the second permission of the WTP comprises: writing, by the AC, the acquired at least one of the IP address of the WTP or the MAC address of the WTP into an ACL; and writing, by the AC, information about allowing any packet from the WTP into the ACL.
Further elaborating on the method with MAC and 802.1X authentication, the AC extracts the WTP's IP and/or MAC address from the join request packet. The IP address is the source IP, and the MAC address is the source MAC. When the CAPWAP connection succeeds, the AC updates an Access Control List (ACL). It adds the WTP's IP or MAC address to the ACL and also adds a rule allowing all traffic from the WTP. This enables full network access after successful CAPWAP connection.
5. The method according to claim 2 further comprising acquiring, by the AC and from the join request packet, at least one of an IP address of the WTP or a MAC address of the WTP, wherein the IP address of the WTP is a source IP address of the join request packet, wherein the MAC address of the WTP is a source MAC address of the join request packet, and wherein enabling, by the AC, the second permission of the WTP comprises: writing, by the AC, the acquired at least one of the IP address of the WTP or the MAC address of the WTP into an access control list (ACL); and writing, by the AC, information about allowing any packet sent from the WTP into the ACL.
Expanding on the method involving MAC authentication, the AC extracts the WTP's IP and/or MAC address from the join request packet. The IP address is the source IP, and the MAC address is the source MAC. When the CAPWAP connection succeeds, the AC updates an Access Control List (ACL). It adds the WTP's IP or MAC address to the ACL and also adds a rule allowing all traffic from the WTP. This enables full network access after successful CAPWAP connection.
6. The method according to claim 1 further comprising: acquiring, by the AC, a result of Institute of Electrical and Electronics Engineers (IEEE) 802.1X authentication on the WTP; and enabling, by the AC, the first permission of the WTP to only allow access to the CAPWAP port of the AC after the IEEE 802.1X authentication on the WTP fails.
In this network admission method, the AC performs IEEE 802.1X authentication on the WTP. The AC enables the restricted permission, allowing only CAPWAP port access, only after the 802.1X authentication *fails*. This allows devices that fail enterprise authentication to still gain limited access for initial provisioning and connection establishment.
7. The method according to claim 6 further comprising acquiring, by the AC and from the join request packet, at least one of an IP address of the WTP or a MAC address of the WTP, wherein the IP address of the WTP is a source IP address of the join request packet, wherein the MAC address of the WTP is a source MAC address of the join request packet, and wherein enabling, by the AC, the second permission of the WTP comprises: writing, by the AC, the acquired at least one of the IP address of the WTP or the MAC address of the WTP into an ACL; and writing, by the AC, information about allowing any packet from the WTP into the ACL.
Building on the previous method where 802.1X authentication failure triggers limited CAPWAP access, the AC extracts the WTP's IP and/or MAC address from the join request packet. The IP address is the source IP, and the MAC address is the source MAC. When the CAPWAP connection succeeds, the AC updates an Access Control List (ACL). It adds the WTP's IP or MAC address to the ACL and also adds a rule allowing all traffic from the WTP, enabling full network access.
8. The method according to claim 1 further comprising acquiring, by the AC and from the join request packet, at least one of an Internet Protocol (IP) address of the WTP or a MAC address of the WTP, wherein the IP address of the WTP is a source IP address of the join request packet, wherein the MAC address of the WTP is a source MAC address of the join request packet, and wherein enabling, by the AC, the second permission of the WTP comprises: writing, by the AC, the acquired at least one of the IP address of the WTP or the MAC address of the WTP into an access control list (ACL); and writing, by the AC, information about allowing any packet from the WTP into the ACL.
In this network admission method, the AC extracts the WTP's IP and/or MAC address from the join request packet. The IP address is the source IP, and the MAC address is the source MAC. When the CAPWAP connection succeeds, the AC updates an Access Control List (ACL). It adds the WTP's IP or MAC address to the ACL and also adds a rule allowing all traffic from the WTP. This enables full network access after successful CAPWAP connection.
9. An access controller (AC) comprising: an Ethernet chip; and a processor, wherein the processor is configured to: enable a first permission of a wireless termination point (WTP), wherein the first permission of the WTP is configured to allow only packets accessing a Control and Provisioning of Wireless Access Points (CAPWAP) port of the AC; receive a join request packet that accesses the CAPWAP port from the WTP using the Ethernet chip when the first permission of the WTP is enabled; establish a CAPWAP connection with the WTP; and enable a second permission of the WTP when the CAPWAP connection between the AC and the WTP is successfully established, wherein control of the second permission of the WTP by the processor is implemented by controlling the Ethernet chip, and wherein the Ethernet chip is configured to allow any packet from the WTP by controlling of the second permission of the WTP.
An access controller (AC) contains an Ethernet chip and a processor to manage WTP network admission. The processor initially configures the Ethernet chip to allow a WTP only CAPWAP port access. When the WTP sends a join request, the Ethernet chip receives it, and the processor establishes a CAPWAP connection. If successful, the processor reconfigures the Ethernet chip to allow *all* traffic from the WTP, granting full network access. The Ethernet chip handles the actual packet filtering based on the processor's instructions.
10. The AC according to claim 9, wherein the processor is further configured to: acquire a result of Media Access Control (MAC) authentication on the WTP before receiving the join request packet; and enable the first permission of the WTP to only allow access to the CAPWAP port of the AC after the MAC authentication on the WTP succeeds.
The access controller from the previous description also performs Media Access Control (MAC) authentication on the WTP before allowing any connection attempts. The processor is configured to only allow the limited, CAPWAP-only access if the MAC authentication is successful. This prevents unauthorized devices with unknown MAC addresses from even attempting to establish a CAPWAP connection.
11. The AC according to claim 9, wherein the processor is further configured to: acquire a result of Institute of Electrical and Electronics Engineers (IEEE) 802.1X authentication on the WTP; and enable the first permission of the WTP to only allow access to the CAPWAP port of the AC after the IEEE 802.1X authentication on the WTP fails.
The access controller from the previous description is also configured to perform IEEE 802.1X authentication. The processor only allows the limited CAPWAP port access if the 802.1X authentication fails. This provides a fallback mechanism for devices that are not able to authenticate using 802.1X, allowing them to still connect via CAPWAP for management purposes.
12. The AC according to claim 9, wherein the processor is further configured to: acquire, from the join request packet, at least one of an Internet Protocol (IP) address of the WTP or a MAC address of the WTP, wherein the IP address of the WTP is a source IP address of the join request packet, and wherein the MAC address of the WTP is a source MAC address of the join request packet; write the acquired at least one of the IP address of the WTP or the MAC address of the WTP into an access control list (ACL) of the Ethernet chip; and write information about allowing any packet from the WTP into the ACL.
The access controller's processor extracts the WTP's IP and/or MAC address from the join request packet (IP is source IP, MAC is source MAC). Then, it writes this IP/MAC address, along with a rule allowing all traffic from that address, into the Ethernet chip's Access Control List (ACL). This configuration change within the Ethernet chip is what ultimately allows the WTP to transmit any packet on the network.
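As an added example (not the patent's own implementation), the following Python simulation models the two-stage permission described in claims 1 to 12: a default-deny ACL standing in for the Ethernet chip's ACL, the admission gate of claims 2, 3 and 6 (MAC authentication succeeds or 802.1X fails), and the second permission keyed on the source IP and MAC of the join request. The CAPWAP control port 5246 comes from RFC 5415; the CAPWAP handshake is assumed to succeed, and all addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

CAPWAP_CONTROL_PORT = 5246  # CAPWAP control channel per RFC 5415 (data channel is 5247)


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    join_request: bool = False  # True for a CAPWAP Join Request


@dataclass(frozen=True)
class AclRule:
    """Allow rule; a None field is a wildcard. The ACL as a whole is default-deny."""
    src_mac: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in (
            (self.src_mac, p.src_mac), (self.src_ip, p.src_ip),
            (self.dst_ip, p.dst_ip), (self.dst_port, p.dst_port)))


class AccessController:
    def __init__(self, ac_ip: str):
        self.ac_ip = ac_ip
        self.acl: list = []        # stands in for the Ethernet chip's ACL (claims 9 and 12)
        self.joined: set = set()   # WTP MACs with an established CAPWAP connection

    def admission_gate(self, wtp_mac: str, mac_auth_ok: bool, dot1x_ok: Optional[bool]) -> bool:
        """Claims 2, 3, 6: enable the first permission after MAC authentication succeeds
        or after 802.1X fails (None = 802.1X not attempted). Returns True if enabled."""
        if mac_auth_ok or dot1x_ok is False:
            # First permission (claim 1): only packets to the AC's CAPWAP port pass.
            self.acl.append(AclRule(src_mac=wtp_mac, dst_ip=self.ac_ip, dst_port=CAPWAP_CONTROL_PORT))
            return True
        return False

    def allowed(self, p: Packet) -> bool:
        return any(r.matches(p) for r in self.acl)

    def handle(self, p: Packet) -> str:
        """Returns 'dropped', 'joined' or 'forwarded' for one packet from a WTP."""
        if not self.allowed(p):
            return "dropped"
        if p.join_request and p.dst_ip == self.ac_ip and p.dst_port == CAPWAP_CONTROL_PORT:
            # Assumed: the CAPWAP join succeeds. Second permission (claims 4, 5, 7, 8, 12):
            # the allow-any rule is keyed on the join request's own source IP and MAC.
            self.joined.add(p.src_mac)
            self.acl.append(AclRule(src_mac=p.src_mac, src_ip=p.src_ip))
            return "joined"
        return "forwarded"
```

A packet from a different source MAC is still dropped after the join, because both ACL entries are bound to the admitted WTP's addresses.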
April 30, 2015
July 4, 2017